AT&T agrees to $25 million penalty for data breach

AT&T (T) has agreed to pay $25 million to regulators following a probe that determined call-center workers in the Philippines, Mexico and Columbia had improperly accessed information on nearly 280,000 American consumers.

The employees gave customer names and full or partial Social Security numbers to third parties who used the information to ask that mobile phones be unlocked so they would work on rival networks, the Federal Communications Commission (FCC) said Wednesday in a news release.

"The Commission cannot -- and will not -- stand idly by when a carrier's lax data security practices expose the personal information of hundreds of thousands of the most vulnerable Americans to identity theft and fraud," FCC Chairman Tom Wheeler said in the release.

The customer data wound up in the hands of people who apparently trafficked in stolen or secondary-market phones they wanted to unlock, the FCC said.

"We are terminating vendor sites as appropriate. We've changed our policies and strengthened our operations. And we have, or are, reaching out to affected customers to provide additional information," Emily Edmonds, an AT&T spokeswoman, said in an email.

The FCC called the settlement its largest privacy and data security enforcement action yet.